Posts Tagged ‘GCHQ’

Privacy International’s new complaint against GCHQ is like pissing in the wind

May 14, 2014


Fresh from its success against HMRC, Privacy International (PI) is now taking on GCHQ. It announced Tuesday that it has “filed a legal complaint demanding an end to the unlawful hacking being carried out by GCHQ which, in partnership with the NSA, is infecting potentially millions of computer and mobile devices around the world with malicious software that gives them the ability to sweep up reams of content, switch on users’ microphones or cameras, listen to their phone calls and track their locations.”

This complaint, however, will be like pissing in the wind.

Since it is a complaint against the intelligence services it has to be raised with the UK’s Investigatory Powers Tribunal. Now, if you think my comment is a bit OTT, I invite you to consider the assessment of the Home Affairs Committee – Seventeenth Report: Counter-terrorism, published just last month. In particular, look at Section 6: Oversight of the security and intelligence agencies. It says,

…we wish to take this opportunity to note that in its latest annual report, the Investigatory Powers Tribunal has failed to disclose how many cases were decided in favour of the complainant. The 2010 (inaugural) annual report of the Investigatory Powers Tribunal was a forty page document. The 2011 report was a three page statistical release. The 2012 annual report was a two paragraph news story on its website… The statistics which have been produced by the Investigatory Powers Tribunal indicate that out of 1468 [complaints] the Tribunal has received it has decided in the favour of ten complainants. None of the ten successful complaints were made against the security service.

So only 0.68% of complaints to the Investigatory Powers Tribunal are upheld – and none of those relate to complaints against the intelligence services despite 30% of the 2010 complaints being leveled against an intelligence agency.

Sir Anthony May

There are two other officers also responsible for oversight of GCHQ: the Interception of Communications Commissioner (Sir Anthony May), and the Intelligence Services Commissioner (Sir Mark Waller). Also last month, on the same day that the ECJ ruled the European Data Retention Directive to be invalid, the Interception Commissioner’s annual report was laid before parliament. He considered at some length GCHQ, RIPA and the Snowden files.

It is ultimately a matter of policy whether the interception agencies, duly authorised under RIPA 2000 Part I Chapter I and subject to its safeguards, should continue to be enabled to intercept external communications, so far as they are lawfully and technically able, in order to assist their functions of protecting the nation and its citizens from terrorist attack, cyber attack, serious crime and so forth. If the policy answer to that question is yes (which I personally should have thought was obvious)…
2013 Annual Report of the Interception of Communications Commissioner

He is, then, personally predisposed towards GCHQ’s international hacking habits.

His report also asks, “Do the interception agencies misuse their powers under RIPA 2000 Part I Chapter I to engage in random mass intrusion into the private affairs of law abiding UK citizens who have no actual or reasonably suspected involvement in terrorism or serious crime?”

And it answers, “The interception agencies do not engage in indiscriminate random mass intrusion by misusing their powers under RIPA 2000 Part I.” Now, since the Tribunal will undoubtedly query the commissioner on whether Privacy International’s complaint is valid, we can begin to see that it’s not going to get very far.

Sir Mark Waller
source: The Guardian

But let it not be said that the overlookers providing oversight on GCHQ are not sufficiently thorough in their overlooking. This is part of the Intelligence Services Commissioner’s testimony, verbatim, to the Home Affairs committee:

Chair: You went down to GCHQ.

Sir Mark Waller: Yes.

Chair: You went to see who there?

Sir Mark Waller: I saw the second head of the agency, in fact.

Chair: How did you satisfy yourself? It seems, from your comment, that what you did was you had a discussion with them, you heard what they had to say and you have accepted what they had to say.

Sir Mark Waller: Certainly.

Chair: Is that it?

Sir Mark Waller: Certainly.

Chair: Just a discussion?

Sir Mark Waller: Certainly.

Chair: Nothing else?

Sir Mark Waller: Certainly.

It’s not as if Privacy International is demanding very much. It is just seeking from the Investigatory Powers Tribunal:

A declaration that the matters set out in the complaint are well founded and GCHQ’s conduct has been unlawful, an injunction restraining any similar future conduct, an order requiring the destruction of any information unlawfully obtained and a public judgment.

But to say that Privacy International’s claim against GCHQ in the face of these guardians of the public good is just pissing in the wind is probably an understatement – pissing into a force 8 gale is more accurate. It’s never going to happen.

But there is just one glimmer. Once PI has exhausted all national options it should be able to take the matter to the European Court – the same court that recently struck down the Data Retention Directive and has just ruled against Google.

Categories: All, Politics, Security Issues

Diplomat to be new head of GCHQ

April 16, 2014

Robert Hannigan — new head of GCHQ

The new head of GCHQ is neither a spy by trade nor a hard-hitting political bully — he is a diplomat. Robert Hannigan, selected to replace Sir Iain Lobban as head of Britain’s spy agency GCHQ, comes out of the Foreign Office and is a former adviser to Tony Blair in Northern Ireland.

Ex-colleagues say choice of Foreign Office diplomat as GCHQ chief suggests government is leaving door open to reform
Robert Hannigan: GCHQ director who can balance secrecy and accountability — Guardian

The implication is clear: maybe, just maybe, Cameron has realised the severity of not just public concern and distrust over GCHQ, but the dismay of our European political allies. It will take some serious diplomacy to soothe some very ruffled feathers. It already seems likely that Britain will be excluded from the EU’s Schengen-routing and Schengen-cloud (see here for details); and that would put the country at a severe trade disadvantage in our most important export market.

The Guardian goes on to give an example of Hannigan’s diplomacy:

Hannigan rose from being the head of communications in the Northern Ireland Office to running its political affairs department. At one particularly critical moment in the peace talks in 2007, Hannigan helped overcome an impasse between Sinn Féin’s Gerry Adams and the DUP’s Ian Paisley. The latter wanted an adversarial arrangement with the parties glaring at each other across a table; Adams wanted them sitting side by side, as partners. Hannigan suggested a diamond-shaped table as a compromise.

The best of all possible worlds will be that Hannigan’s brief is to open up GCHQ to some form of public transparency. The greater likelihood, however, is that his brief is to pull the diplomatic wool over everyone’s eyes to allow GCHQ to continue as is.


Categories: All, Politics, Security Issues

The Heartbleed bug and SSL implementations

April 9, 2014

Like the tree falling in the forest, we simply do not know if the Heartbleed bug was ever exploited. The problem is that exploiting it makes no sound.

The Heartbleed bug is a fault in the implementation of the Heartbeat extension to OpenSSL. The effect is to expose up to 64kb of supposedly encrypted traffic in plaintext. That plaintext would likely include the encryption keys, user credentials (ID and password) and message content. But exploiting the bug leaves no trace in the logs, so in theory it could have been used by hackers at any time since the flaw was introduced several years ago.
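The class of fault involved, as an added example that is not from the original post and is not OpenSSL's code: under RFC 6520 a heartbeat request carries its own payload_length field, and a receiver that echoes that many bytes without checking them against what it actually received hands back whatever sits next to the request in memory. The function names, the 64-byte arena and the sample secret are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING  16  /* minimum padding required by RFC 6520 */

/* Hypothetical handler (not OpenSSL code). rec_len is the number of bytes
 * actually received. Returns the payload bytes echoed, or -1 if discarded.
 * validate=0 models a receiver that trusts the sender's length field. */
int hb_respond(const uint8_t *rec, size_t rec_len,
               uint8_t *out, size_t out_cap, int validate)
{
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The check that matters: claimed length must fit in the record. */
    if (validate && HB_HEADER + claimed + HB_PADDING > rec_len)
        return -1;                      /* RFC 6520: discard silently */
    if (HB_HEADER + claimed > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    return (int)claimed;                /* response padding omitted here */
}

/* Constructed demo: a 64-byte arena stands in for process memory, with a
 * secret stored right after a request that carries 4 payload bytes but
 * claims 40. Returns 1 if the secret appears in the response. */
int hb_demo_leaks(int validate)
{
    static const char secret[] = "SECRET-KEY";
    const size_t slen = sizeof secret - 1;
    uint8_t arena[64] = {0}, out[64] = {0};
    size_t rec_len = HB_HEADER + 4 + HB_PADDING;
    arena[0] = HB_REQUEST; arena[1] = 0; arena[2] = 40;
    memcpy(arena + HB_HEADER, "ping", 4);
    memcpy(arena + rec_len, secret, slen);

    int n = hb_respond(arena, rec_len, out, sizeof out, validate);
    for (size_t i = 0; n > 0 && i + slen <= (size_t)n; i++)
        if (memcmp(out + HB_HEADER + i, secret, slen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("length trusted:   leak=%d\n", hb_demo_leaks(0));
    printf("length validated: leak=%d\n", hb_demo_leaks(1));
    return 0;
}
```

A well-formed request passes the same check unchanged, so the validation costs legitimate peers nothing.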

This potential problem is huge. “Just one application that uses OpenSSL, Apache, is used to run 346 million public websites or about 47 percent of the Internet today” explains Kevin Bocek, Vice President, Security Strategy & Threat Intelligence at Venafi. “And the problem is even larger since this doesn’t include the tens of millions of behind-the-firewall applications, devices and appliances that run Apache and use OpenSSL.”

An update to OpenSSL has been released, and hopefully the faulty implementations are being fixed. The encryption keys are being changed and all should be well soon. But will it be?

Once the SSL keys are known, then all previous messages could be decrypted. So if any attacker has been sniffing and storing messages, and has at any time obtained those keys, then those stored messages could be decrypted (unless forward secrecy – which provides new keys for each message – was being used). Forward secrecy is only now becoming more popular for precisely such a concern.

The elephant, of course, is the NSA and GCHQ (and to a lesser extent probably every other national intelligence agency in the world). On the plus side, there is no indication in the Snowden files released so far to suggest that the NSA knew about or used this bug. The downside is that unless they wrote about it, we would probably never know.

Meanwhile, researchers have been trying to discover which services use vulnerable versions of OpenSSL and have put their users at risk. Filippo Valsorda produced a test site to check whether particular sites are vulnerable. “Very quickly, it became clear that popular sites like Google, Facebook, Twitter, Dropbox, were not affected, but other sites (for instance, dating site OKCupid, Imgur, Flickr, Stackoverflow and Eventbrite) were at risk,” commented Graham Cluley this morning.

More worrying, however, is that Yahoo was affected (although it has been fixed now). The problem with Yahoo is that we know that GCHQ had been intercepting and storing Yahoo traffic.

Qualys has also added Heartbleed detection to its SSL test site. The advantage of this site is that it provides a detailed analysis of a website’s overall SSL implementation. The two graphics show summary results from Yahoo (after fixing Heartbleed: A) and a site operated by a major security company (which should really do better: F).

Although Yahoo has now fixed the Heartbleed bug, Yahoo users should all consider changing their passwords – just in case.

Categories: All, Security Issues

Censorship is alive and well in Britain today

April 5, 2014

Last week I proposed an experiment. Index on Censorship had discussed what it calls ‘censorship by omission’; suggesting that a form of censorship exists in Britain through simple lack of information. This is censorship by omission rather than censorship by suppression.

At the same time, Der Spiegel published details from the Snowden files indicating that GCHQ had been involved in hacking German satellite communications companies. Glenn Greenwald described it in The Intercept:

One undated document shows how British GCHQ operatives hacked into the computer servers of the German satellite communications providers Stellar and Cetel, and also targeted IABG, a security contractor and communications equipment provider with close ties to the German government. The document outlines how GCHQ identified these companies’ employees and customers, making lists of emails that identified network engineers and chief executives. It also suggests that IABG’s networks may have been “looked at” by the NSA’s Network Analysis Center.

My ‘experiment’ was simple. We know that the UK government has been trying to suppress reporting on GCHQ revelations through its involvement in the physical destruction of hard disks at The Guardian. So, I suggested, “Over the next few days it will be worth seeing just how much coverage this very major, very important story actually generates in the British mainstream press.”

The result? None.

It’s not a scientific experiment because I haven’t read all of the British mainstream national press from cover to cover since that time. Instead, this morning I used Google and searched on keywords from the Greenwald paragraph:

GCHQ Stellar Cetel IABG germany satellite communications

Searching the web got 3390 returns. In the top four pages (that’s all I checked) not a single national British newspaper is included. (My ‘experiment’ came in at #10, last on the first page.)

Searching the news had just five hits: Register, Help Net Security, IT News, TIME and Engadget.

Nothing whatsoever from any of the British national press.

The conclusion has to be that Britain suffers under a regime of censorship by omission. What we don’t know is how much of this ‘omission’ is effected by government pressure, nor whether Google has been persuaded to reduce the search rankings of any published articles — making it actually censorship by suppression.

Categories: All, Politics, Security Issues

Don’t let the government or the tech giants fool you into thinking anything is changing

April 1, 2014

When Bruce Schneier left the employ of BT, he finally got off the pot. His natural inclinations can now be seen. He still hasn’t criticised BT despite it being obvious that BT is no more innocent than any of the big American telecoms companies — but he told me (by email) at the time that he tried to avoid getting involved in foreign politics.

Bruce Schneier: photo by Doug Logan

Bruce Schneier — the ex-BT, anti-surveillance privacy guru

He hasn’t been 100% consistent in this. When Swedish journalists discovered Swedish involvement in the MITM NSA/GCHQ hacking program known as Quantum, he said, “Both Quantum and FoxAcid are NSA/GCHQ programs to attack computer users. The fact that Sweden is involved in these programs means that Sweden is involved in active attacks against internet users. It is not just passive monitoring. This is an active attack.”

One day we may yet hear what he knows about BT’s cooperation with GCHQ (Tempora et al).

In the meantime, he is now no longer backward in commenting on surveillance in general and the NSA in particular. An article in The Atlantic last week warns us not to listen uncritically to the protestations of either the NSA or the tech giants that now appear to be up in arms against this NSA hacking and surveillance.

The tech giants (Google, Facebook, Yahoo, Microsoft etcetera) all claim to be doing what they can to prevent further snooping. But they are not doing the one thing that would work — they are not encrypting user data on servers in a way that would be impossible for governments to demand the keys. And the reason they are not doing this is simply because the vendors and the governments both want the same thing — to be able to read our data.

The best we have are caveat-laden pseudo-assurances. At SXSW earlier this month, CEO Eric Schmidt tried to reassure the audience by saying that he was “pretty sure that information within Google is now safe from any government’s prying eyes.” A more accurate statement might be, “Your data is safe from governments, except for the ways we don’t know about and the ways we cannot tell you about. And, of course, we still have complete access to it all, and can sell it at will to whomever we want.”
Don’t Listen to Google and Facebook: The Public-Private Surveillance Partnership Is Still Going Strong

The reality is that for so long as the vendors want access to our data, the governments will be able to demand it. Neither of those is changing; although both sides are trying to pretend it is.

Categories: All, Politics, Security Issues

Britain: a land of censorship by omission

March 29, 2014

Let’s all try a little experiment.

Index on Censorship warned today about what it calls ‘censorship by omission’ in the UK. The suggestion is not that the British are told what to think by the UK press, but that they are controlled over what they are allowed to think about. It suggests that serious news can be omitted from print while newspapers guide their readers to less important, or even old, news.

The British news spectrum was recently obsessed with Labour politicians Harriet Harman and Patricia Hewitt, who worked for the National Council for Civil Liberties (now ‘Liberty’) in the 1970s. That council granted affiliate status to the now-banned Paedophile Information Exchange (PIE). The Daily Mail made a huge splash about its PIE investigation in February, despite uncovering no new information. That paper alone had reported the same story in 1983, 2009, 2012 and 2013. Eventually the BBC, online world and print media all covered the controversy, meaning more worthy issues lost precedence.
British news blind spots: Omission and obscurity

The result, warns Index on Censorship, is a form of censorship by omission:

We’re denied investigation or campaigning on vital issues because nobody knows they exist.

So here’s our experiment. Let’s see over the next few days just how much coverage we get on the Snowden files released today by Der Spiegel. Quoted by Glenn Greenwald’s new publication, The Intercept, this includes:

One undated document shows how British GCHQ operatives hacked into the computer servers of the German satellite communications providers Stellar and Cetel, and also targeted IABG, a security contractor and communications equipment provider with close ties to the German government. The document outlines how GCHQ identified these companies’ employees and customers, making lists of emails that identified network engineers and chief executives. It also suggests that IABG’s networks may have been “looked at” by the NSA’s Network Analysis Center.

The ultimate aim of GCHQ was to obtain information that could help the spies infiltrate “teleport” satellites sold by these companies that send and receive data over the Internet. The document notes that GCHQ hoped to identify “access chokepoints” as part of a wider effort alongside partner spy agencies to “look at developing possible access opportunities” for surveillance.

In other words, infiltrating these companies was viewed as a means to an end for the British agents. Their ultimate targets were likely the customers. Cetel’s customers, for instance, include governments that use its communications systems to connect to the Internet in Africa and the Middle East. Stellar provides its communications systems to a diverse range of customers that could potentially be of interest to the spies – including multinational corporations, international organizations, refugee camps, and oil drilling platforms.
Der Spiegel: NSA Put Merkel on List of 122 Targeted Leaders

So let’s be very clear here. This is a direct accusation that GCHQ has been hacking into the telecommunications products of friendly companies in allied nations. Over the next few days it will be worth seeing just how much coverage this very major, very important story actually generates in the British mainstream press.

Here’s my prediction — and I genuinely hope I am proved very wrong: there will be serious coverage in the Guardian and Independent (read by very few who don’t already know that GCHQ is hack-crazy and law-breaking); some coverage in the Telegraph (read by hardly anyone); dismissive, brief coverage by the BBC; and precious little else.

Let’s see.

Categories: All, Politics, Security Issues